[FIXED] Security Advisory: DWG import/export with ODA file converter

eldstal
Posts: 3
Joined: Thu Dec 23, 2021 12:17 am

[FIXED] Security Advisory: DWG import/export with ODA file converter

Post by eldstal »

Summary
When FreeCAD is configured to use the ODA file converter, a DWG file with a crafted filename is able to trigger a Remote Code Execution vulnerability.

A ticket is open in the bug tracker, since I'm quite certain this needs patching.

Vulnerable Version
FreeCAD_weekly-builds-26683 and older

Steps to reproduce
1. Configure DWG import using the ODA file converter
2. Create and import the proof-of-concept file:
The PoC is an empty file, which can be created on a linux system using the following command:

```sh
touch '";galculator;ls ".dwg'
```
Change `galculator` to any shell command you wish to execute.

3. `galculator` is launched by FreeCAD during DWG import.

Cause
The first parameter to subprocess.call() at importDWG.py:225 contains unsanitized user input (the filename of the DWG file). By prematurely closing the quotes, the executed command line can be modified by an attacker.


Impact
Arbitrary code execution

Proposed Mitigation
`subprocess.Popen()` is a better option to invoke the converter, since the binary can be specified by FreeCAD separately from arguments. In addition, this bypasses the system shell.

A similar flaw is present in the DWG export using the ODA file converter, but this is less serious as the vector is the output filename. To verify this, try loading any project and exporting to a filename of one of these forms:

```text
`galculator`.dwg
";galculator;ls ".dwg
$(galculator).dwg
```
I'm a FreeCAD user, should I be worried?
This vulnerability is only exploitable by the filename of opened files. Therefore, be wary of importing files with strange characters (quotes, backslashes, backticks (`), dollar signs, that sort of thing) in their filenames.


Version information
OS: Arch Linux (i3/i3)
Word size of FreeCAD: 64-bit
Version: 0.20.26683 (Git) AppImage
Build type: Release
Branch: (HEAD detached at 0388fbc)
Hash: 0388fbc98d49d874fb341b9037a743bc691d501f
Python version: 3.9.7
Qt version: 5.12.9
Coin version: 4.0.0
OCC version: 7.5.3
Locale: English/United States (en_US)
Attachments
dwg_oda_rce.zip
The proof-of-concept DWG file which runs galculator.
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Security Advisory: DWG import with ODA file converter

Post by Kunda1 »

Moved to Developers corner subforum
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
wmayer
Founder
Posts: 20243
Joined: Thu Feb 19, 2009 10:32 am

Re: Security Advisory: DWG import/export with ODA file converter

Post by wmayer »

A similar issue from two years ago: https://forum.freecadweb.org/viewtopic.php?f=3&t=39683
wmayer
Founder
Posts: 20243
Joined: Thu Feb 19, 2009 10:32 am

Re: Security Advisory: DWG import/export with ODA file converter

Post by wmayer »

Since I don't have the Teigha converter installed I simulate it with this simple Python script

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import sys
print(sys.argv)
```
that is located under /tmp/teigha

Now the issue can be reduced to this Python snippet:

```python
import subprocess

teigha = "/tmp/teigha"
indir = "indir"
outdir = "outdir"
basename = '";galculator;ls ".dwg'

# Vulnerable pattern: the basename is pasted into a shell command line,
# so the double quote inside it closes the quoting and ';' ends the command.
cmdline = '"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"' % (teigha, indir, outdir, basename)

subprocess.call(cmdline, shell=True)
```
This will start the application galculator.

There are several ways to escape the string cmdline. In a SO article the built-in function repr() was suggested:

```python
subprocess.call(repr(cmdline), shell=True)
```
This does nothing and returns the error code 127. When FreeCAD is started from the terminal you will get this error message:
/bin/sh: 1: "/tmp/teigha" "indir" "outdir" "ACAD2000" "DXF" "0" "1" "";galculator;ls ".dwg": not found
So, this "solution" can be ignored.

An alternative is suggested here that uses pipes.quote():

```python
import pipes  # pipes.quote is the same function as shlex.quote; pipes is deprecated, prefer shlex.quote

commandargs = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
cmdline = " ".join(map(pipes.quote, commandargs))  # every argument is shell-quoted
subprocess.call(cmdline, shell=True)
```
This works as expected. subprocess.call() returns 0 and the expected output in the terminal is:
['/tmp/teigha', 'indir', 'outdir', 'ACAD2000', 'DXF', '0', '1', '";galculator;ls ".dwg']
Since subprocess.call() also accepts a list as program arguments there is no need to create a string and instead the list can be directly passed:

```python
cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
subprocess.call(cmdline)
```
or with the more modern Popen

```python
cmdline = [teigha, indir, outdir, "ACAD2000", "DXF", "0", "1", basename]
proc = subprocess.Popen(cmdline)
proc.wait()
```
The last two snippets only work correctly when "shell=True" is not set. And according to https://docs.python.org/3/library/subpr ... iderations this should be avoided anyway.
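As an added example (not FreeCAD's or wmayer's code), the script below contrasts the string-building pattern from the vulnerable snippet with the argv-list fix, using a Python one-liner as a stand-in for the converter binary so nothing real is launched; shell_words() only tokenises a command line and never executes it. It assumes the converter takes the same positional arguments as shown in this thread.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample input: the crafted basename from the advisory.
CRAFTED_BASENAME = '";galculator;ls ".dwg'

# Stand-in for the ODA converter binary (assumption: it is not installed
# here): a Python one-liner that reports the argv it received as JSON.
FAKE_CONVERTER = [sys.executable, "-c",
                  "import json, sys; print(json.dumps(sys.argv[1:]))"]

# The converter's fixed options as used in importDWG.py in this thread.
ODA_OPTIONS = ["ACAD2000", "DXF", "0", "1"]


def unsafe_cmdline(teigha, indir, outdir, basename):
    """The original string-building pattern (kept deliberately vulnerable):
    a double quote inside basename terminates the quoting around it."""
    return '"%s" "%s" "%s" "ACAD2000" "DXF" "0" "1" "%s"' % (
        teigha, indir, outdir, basename)


def shell_words(cmdline):
    """Tokenise the string the way a POSIX shell would, without running it.
    A bare ';' token means the shell would start a second command there.
    Caveat: $(...) or backticks inside double quotes stay one token here but
    the shell would still expand them, so quoting analysis is no substitute
    for dropping shell=True."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_convert(converter_argv, indir, outdir, basename):
    """The fix: an argv list and no shell, so basename is one argument no
    matter what it contains.  Returns the argv the converter actually saw."""
    argv = list(converter_argv) + [indir, outdir] + ODA_OPTIONS + [basename]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    bad = unsafe_cmdline("/tmp/teigha", "indir", "outdir", CRAFTED_BASENAME)
    print("shell would see:", shell_words(bad))
    print("converter saw:", safe_convert(FAKE_CONVERTER, "indir", "outdir",
                                         CRAFTED_BASENAME))
```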
chennes
Veteran
Posts: 3879
Joined: Fri Dec 23, 2016 3:38 pm
Location: Norman, OK, USA

Re: Security Advisory: DWG import/export with ODA file converter

Post by chennes »

That last snippet is how the other DWG converters are called, isn't it?
Chris Hennes
Pioneer Library System
GitHub profile, LinkedIn profile, chrishennes.com
wmayer
Founder
Posts: 20243
Joined: Thu Feb 19, 2009 10:32 am

Re: Security Advisory: DWG import/export with ODA file converter

Post by wmayer »

chennes wrote: Tue Dec 28, 2021 2:44 pm That last snippet is how the other DWG converters are called, isn't it?
Yes, but instead of wait() they call communicate().
eldstal
Posts: 3
Joined: Thu Dec 23, 2021 12:17 am

Re: [FIXED] Security Advisory: DWG import/export with ODA file converter

Post by eldstal »

Good job getting at this so quickly!

Thanks, have a happy new year and good luck with the 0.20 release!
eldstal
Posts: 3
Joined: Thu Dec 23, 2021 12:17 am

Re: [FIXED] Security Advisory: DWG import/export with ODA file converter

Post by eldstal »

This vulnerability has been assigned CVE-2021-45844.
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: Security Advisory: DWG import/export with ODA file converter

Post by Kunda1 »

wmayer wrote: Tue Dec 28, 2021 3:17 pm git commit 1742d7ff82
Hi wmayer, did this get backported? (or in the works?)